Fig. 3 (flowchart between Prover and Verifier; reference numerals 502, 150, 504, 506, 508)

CryptoParams = (Group, g, G, p, q)

Publicly known: {X_1, ..., X_k}, {Y_1, ..., Y_k}, C

Recoverable formulas: R_i = g^{r_i}; Z_j = W_j / V_j

Proof Data: for each 1 ≤ i ≤ k, Chaum-Pedersen proofs

Verifier: Verify Correctness of Proof Data, then Accept/Reject

Fig. 4 (flowchart between Shuffler and Verifier; reference numerals 130, 404, 406, 408, 410, 412)

CryptoParams = (Group, g, G, p, q)

Secretly Generated: t (random); T = g^t; S = g^{ct} = T^c

Publicly Generated: U_i = X_i / T; V_i = Y_i / S

Proof Data:

1) Chaum-Pedersen proof for (g, C, T, S)

2) Scaled Iterated Logarithmic Multiplication proof for {X_1, ..., X_k}, {Y_1, ..., Y_k}

Verifier: Verify Correctness of Proof Data, then Accept/Reject

Fig. 5 (flowchart between Shuffler, S, and Verifier, V; reference numerals 150, 404, 408, 410, 504, 506, 508, 512)

CryptoParams = (Group, g, G, p, q)

C = g^c

Publicly known: {X_1, ..., X_k}, {Y_1, ..., Y_k}, C

For each 1 ≤ i ≤ k, generate u_i randomly; U_i = g^{u_i}

For each 1 ≤ i ≤ k, generate e_i randomly

Generate random secret, d; D = g^d

Box labels: Secretly Generated; Publicly Generated

Proof Data:

1) Simple Shuffle Proof

2) For each 1 ≤ i ≤ k, Chaum-Pedersen proofs for (g, ..., A_i) and (g, U_i, Y_i, B_i)

3) Chaum-Pedersen proofs

Verifier: Verify Correctness of Proof Data, then Accept/Reject

Fig. 6

CryptoParams = (Group, g, p, q), published

H = set of standard public keys = {h_1, ..., h_k}

Registrants each know corresponding private key, s_j, such that h_j = g^{s_j}

Optional Randomization by Authorities

In sequence, each authority performs verifiable shuffle on H using (G, C = G^c) as the
shuffle commitment, and returns the shuffled set, H', along with the shuffle verification
transcript, T(H, H', G, C).

If the verification transcript is correct, Registration Server performs the substitutions

G ← C,  H ← H'

and stores the previous values, along with the shuffle verification transcript for audit 
purposes. 

(This can be performed as part of initialization, and/or, at any intermediate stage of 
anonymous certificate generation.) 



Anonymous Certificate Request and Generation Phase (each registrant in turn)

(reference numerals in this phase: 612, 614, 616, 618)

Registrant (612): Generate Request; send anonymous authentication request to Registration Server

Registration Server: return G, H

Registrant: Retrieve G, H, then

1) Compute shuffle (and verification transcript)

2) Generate PKI Certificate Request, R, with "random identifying information"

3) Safely store corresponding private key for this request

Registrant sends: T(H, H', G, C), e = cs and index, 1 ≤ j ≤ k, together with Certificate Request R

Registration Server:

1) Check shuffle verification transcript

2) Check h'_j = G^e

If both checks pass

3) Set H ← H' − {h'_j}, G ← C, k = k − 1

4) Store T(H, H', G, C) for audit purposes

5) Digitally sign R, thereby creating PKI Certificate, and return it

Else, if any check fails, deny request

Loop to beginning of this phase (ready for next anonymous authentication request)



Fig. 7

Initialization

CryptoParams = (Group, g, p, q), published

H = set of standard public key pairs (704)

Registrants each know corresponding private key, s_j, such that h_j = g_j^{s_j}

Optional Randomization by Authorities

In sequence, each authority performs verifiable shuffle (of pairs) on H using (G, C = G^c)
as the shuffle commitment, and returns the shuffled set, H', along with the shuffle
verification transcript, T(H, H', G, C).

If the verification transcript is correct, Registration Server performs the substitution

and stores the previous values, along with the shuffle verification transcript for audit 
purposes. 

(This can be performed as part of initialization, and/or, at any intermediate stage of 
anonymous certificate distribution.) 



Anonymous Certificate Request and Generation Phase (each registrant in turn)

(reference numerals in this phase: 612, 718)

Registrant (612): Generate Request; send anonymous authentication request to Registration Server

Registration Server: return H (contains registrant's public key)

Registrant: Retrieve H, then

1) Select subset M ⊆ H of size [illegible] and set [illegible]

2) Compute shuffle, H', of M and verification transcript

3) Generate zero knowledge proof, P, that registrant knows exponent s such
that (g'_j)^s = h'_j ∈ H' for specified index j

4) Generate PKI Certificate Request, R, with "random identifying information"

5) Safely store private key corresponding to this certificate request

Registrant sends: T(M, H', g, C), P, together with Certificate Request R

Registration Server:

1) Check shuffle verification transcript

2) Check P

If both checks pass

3) Set H = [illegible] ∪ (H' − {(g'_j, h'_j)}), k = k − 1

4) Store T(M, H', g, C) for audit purposes

5) Digitally sign R, thereby creating PKI Certificate, and return it

Else, if any check fails, deny request

Loop to beginning of this phase (ready for next anonymous authentication request)



